Method and apparatus for combining traffic analysis and monitoring center in lawful interception

ABSTRACT

A method and apparatus for integrating intercepted information with information obtained from an at least one data retention source, the method comprising receiving intercepted information from an interception source, receiving information from a data retention source, and analyzing the information received from the data retention source, in association with the intercepted information. The intercepted information can comprise meta data related to the intercepted communications, and/or the contents of the communication themselves. This enables a user such as a law enforcement agency to reveal possibly indirect connections between target entities s wherein the connections involve non-target entities. The method and apparatus combine interception and content analysis methodologies with traffic analysis techniques.

RELATED APPLICATION

The present invention relates and claims priority from a PCT applicationhaving serial number PCT/IL2006/000591 and filing date of May 18, 2006.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method and apparatus for a lawenforcement monitoring center in general, and to the integration of dataobtained from lawful interception with data retention reservoirs, inparticular.

2. Discussion of the Related Art

Traditional lawful interception relies mainly on intercepting phonecalls of known targets, for which warrants had been issued. Modernlawful interception comprises intercepting additional communicationmeans used by the known targets, including computerized sources such ase-mails, chats, web browsing, VOIP communications and others. Theprocess of monitoring a target includes analysis of the capturedinformation and related meta data using a variety of technologies,displaying different data sources on the same platform, and managing theentire workflow of one or more investigators. However, all theinformation can be captured only for known targets through the issuanceand usage of warrants.

On the other hand, traffic analysis, which may rely on a variety ofcommunication traffic information, including data retention sources suchas call detail records (CDR), IP detail records (IPDR), or dataretention of any communication traffic, uses large volumes of meta datain order to deduce connections between entities, whether the entitiesthemselves are a-priori known or not. In the lawful interceptioncommunity, traffic analysis performed upon data retention sources can beused to draw meaningful conclusions related to additional targets,communication types, communication patterns, and the like. CDR, IPDR, orData Retention of any communication traffic as collected bycommunication providers, and advanced data mining, analysis andvisualization performed upon them, can be a powerful tool for lawenforcement agencies. However, most of the data is banned due tosecurity and privacy limitations. Only data items authorized through awarrant, which is specific to a known target can be provided to and usedby the law enforcement agencies.

Thus, there is a significant gap between the available information ascollected through lawful interception, as well as CDR, IPDR, or dataretention of any communication traffic as collected for example byservice providers, and those parts of the collected information that canbe lawfully used for improving the work of law enforcement agencies.

There is therefore a need for an apparatus and method that will enablelaw enforcement agencies to use CDR, IPDR, or Data Retention of anycommunication traffic, as collected by service providers to enhance andprovide insight and information to lawful interception, withoutviolating privacy or security rules.

SUMMARY OF THE PRESENT INVENTION

It is an object of the present invention to provide a novel method andapparatus for combining data collected through lawful interception, anddata collected through usage of mining, analysis, or visualizationtools. In accordance with the present invention, there is thus provideda method for integrating intercepted communication traffic data orcommunication traffic content with an at least one stored record, themethod comprising the steps of receiving intercepted communicationtraffic data or communication traffic content from an interceptionsource; receiving one or more stored record from a data retentionsource; and analyzing the stored records in association with theintercepted communication traffic data or communication traffic content.Within the method, the stored record can be a communication trafficstored record, or a non-communication traffic stored record, such as acustomer record, a financial record, or a travel record. The method canfurther comprise a querying step for querying the data retention sourceor a data retrieval step according to one or more criteria. The storedrecord can comprises information which is a response to a queryaddressed to the data retention source. The method can further comprisea display step for displaying information to a user. The display stepcan display any one of the following: a result associated with theanalyzing step, raw data, or information related to an operationperformed by the user. The display step can provides graphicpresentation of information, which can comprise one or more connectionmaps. The display step can also provide textual presentation ofinformation. The method can further comprise an abstraction step foreliminating information from the stored records. The information beingeliminated can be identifying information. The method can furthercomprise a formatting step for formatting intercepted communicationtraffic data or communication traffic content or a stored record. Themethod can further comprise a storing step for storing interceptedcommunication traffic data or communication traffic content, or a storedrecord. The storing step can store the intercepted communication trafficdata or communication traffic content, or the stored record in adatabase.

Another aspect of the disclosed invention relates to an apparatus forintegrating intercepted communication traffic data or communicationtraffic content with one or more stored records, the apparatuscomprising: one or more storage devices for storing the interceptedcommunication traffic data or communication traffic content or thestored records; one or more servers comprising one or more engines forprocessing information stored in the storage device; one or morecomputing platforms comprising one or more display devices fordisplaying to a user one or more results obtained by the engines; andone or more connections to one or more service provider databases.Within the apparatus, the engines can be is any of the group of: ananalysis engine; a query engine; a filtering engine; or a securityengine. The apparatus can further comprise one or more interceptionengines for capturing one or more records from the service providerdatabases. The storage device can be associated with a monitoring centerdatabase or with a call detail record database or with an interneprotocol detail record. The servers can be in communication with one ormore databases of one or more service provider.

Yet another aspect of the disclosed invention relates to a computerreadable storage medium containing a set of instructions for a generalpurpose computer, the set of instructions comprising: receivingintercepted communication traffic data or communication traffic contentfrom an interception source; receiving one or more stored records from adata retention source; and analyzing the stored records in associationwith the intercepted communication traffic data or communication trafficcontent.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be understood and appreciated more fully fromthe following detailed description taken in conjunction with thedrawings in which:

FIG. 1 is a flowchart showing the main steps and information sources, inaccordance with a preferred embodiment of the disclosed invention;

FIGS. 2A, 2B, and 2C are schematic illustrations showing examples todata that can be obtained using a preferred embodiment of the disclosedinvention;

FIG. 3 is an illustration of a connection map in accordance with apreferred to embodiment of the disclosed invention; and

FIG. 4 is a block diagram showing the main components of an apparatus inaccordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention overcomes the disadvantages of the prior art byproviding a novel method and apparatus for the integration of storedrecords and products of analyzing the same, with data and meta datacollected using lawful interception systems, and products of analyzingthe same. The stored records can include communication traffic such asretained Call Data Records (CDR), Internet Protocol Data Records (IPDR),data retention of any communication traffic, or additional sources ofnon-communication related data including databases such as customersdatabases; financial records including for example transactions,accounts ownership or credit cards record; travel records includingairlines, hotels, border control and additional sources or record types.

The current situation results in increasing legislation which forcesservice providers, such as telephone, cellular, internet, networkoperators, service providers, financial institutes, airlines, or othercompanies for higher degree of data retention than in the past. Forexample, it is now becoming mandatory by law in the European communitycountries for telephone, cellular and internet service providers toretain meta data on their systems for a fixed amount of time. Theretained data comprises communication traffic stored records andgenerally consists of meta data related to a communication, rather thanthe communication itself Even partial meta data, excluding identifyingdetails of the communicating entities, when combined with data, metadata and analyzed data collected through lawful interception can providevaluable information, without violating the security or privacy ofentities for which no warrant exists that allows interception. Supposefor example, that a law enforcement investigator suspects that a personA is in contact with a person B, but no direct communication is detectedwhen lawfully collecting communications of A and B. However, analyzingCDRs of a telephone company can show that A communicated with C,followed by C communicating with D, and D communicating with B, whereinneither C nor D are targets. Another possibility is that C and D did notcommunicate directly, but via additional one or more non-targets. Thecommunication between C and D is a link that is thus unavailable to theinvestigators, in the case that C, D, or any other entity on thecommunication chain, is not a target. Thus, presenting the communicationchain details, even without revealing the identities of the non-targetson the communication chain, provides valuable information to theinvestigator. Analyzing data from data retention sources is sometimescalled traffic analysis. Fusing intercepted data or its products, withdata obtained from traffic analysis, can thus enrich the understandingof an investigator, and provide important information related totargets. Displaying in a convenient, possible graphic manner the fusedinformation may also provide an investigator with valuable information,while enabling him or her focus on those parts that are of interest forthem and not be overwhelmed by access irrelevant information. Combiningtraffic analysis techniques can thus assist in identifying suspectsbased on communication patterns, identifying additional communicationdevices of known targets, identifying groups related to targets andrelations within a group, and finding direct or indirect links betweentargets.

Referring now to FIG. 1, showing a flowchart of the main steps andinformation sources used in a preferred embodiment of the disclosedinvention. The disclosed invention uses information acquired from lawfulinterception sources 100, such as captured or recorded or otherwiseacquired phone conversations, possibly with automatic or manualtranscription, e-mail messages, chat sessions, web browsing history,voice over IP (VoIP) communications, faxes, video recordings or otheractivity or communications. The data optionally includes meta data, dataand products of analysis performed on the data. For example, in a phoneconversation, the data may include details such as the calling number,the called number, date and time or the like. The data itself consistsof the voice recording, and analysis products include for example amanual or automatic transcription of the call, specific words or phrasesspotted within the call or other analysis products. An additional sourceof information is data retention sources 104, preferably comprising metadata such as communication traffic stored records, financial data,customer data, travel data or the like. Examples for meta data includetelephone call details as mentioned above, IP address from which aperson engaged in a chat session and the duration of the session,details of an e-mail message, travel records, financial records such ascredit card uses or the like. The distinction between actual data andmeta data is sometimes blurred, for example the subject of an e-mailmessage can contain actual data or just meta data. The information fromdata retention sources 104 optionally goes into abstraction step 108,which eliminates details, preferably identifying details which mayinclude names, telephone numbers, or the like. Optionally, only dataitems retrieved in response to querying step 128 detailed below enterabstraction step 108. Alternatively, all the information received from adata retention source enter abstraction step 108. Abstraction step 108enables the service providers to supply the data to law enforcementagencies without infringing their non-target customers' privacy. Theabstraction can be performed, for example, by assigning a pseudo-name ornumber comprising arbitrary character strings to details of a call thatshould not be exposed. In yet another embodiment, abstraction step caneliminate technical details such as communication device and details, sothat an investigator can focus on the essence of a communicationregardless of its type. At formatting step 112, information from LIsources 100 and from retention sources 104 which has been abstracted atabstraction step 108 is formatted into a common formatting so that dataof both sources can be referred to and used together, in order to obtainmaximal insight. At storing step 116, the formatted data is storedtogether in common DB 120. At analyzing step 124, the system accordingto the disclosed invention analyses the data that was received from dataretention sources 104, in association with information received from LIsources 100. For example, such analysis can reveal indirectcommunication between two targets whose communications were interceptedbut had not revealed direct communication between them. Alternatively,the data collected at common DB 120, is analyzed in a similar manner tocurrently available methods, but taking into account also theinformation added from data retention sources 104. The common analysisis performed whether the data form data retention sources 104 was addedto common DB 120 in association with the current investigation, or not.For example, a user can ask whether there was indirect communicationbetween target A and target B, on a certain date range. However, inorder to obtain information, such as in the examples discussed inassociation with FIG. 2 below, the analysis might require a queryingstage 128, for addressing a query to and receiving retrieved additionalinformation from data retention source 104. Data can be retrieved fromdata retention source 104 in response to queries related to any one or acombination of multiple criteria, such as the location of a telephone,cell ID, an area code or a prefix of a telephone number, a country code,a communication device or network such as a prepaid account or publicphone, an IP set of addresses, an IP port range, IP application type, atime frame etc. Alternatively, the criteria can relate to other fields,such as traveling, crossing borders, performing financial transactionsor the like. In yet another alternative, the used criteria can be acombination of two or more single parameters, such as those detailedabove. The retrieved data passes is abstraction step 108, formattingstep 112, and storing step 116 as detailed above. One or more results ofanalysis step 124 are then presented to a user at displaying step 132.The display can be textual, graphical, or take any other form thatexhibits the results of analysis step 124, raw data, operationsperformed by a user such as queries, and other data that is of interestto the user. If the results of analysis step 124 show the necessity ofexposing the identity of a non-target, the user can then use theinformation for preparing an evidence to be shown to a judge or anotherauthority, and ask for the issuance of a warrant for the non-target,thus converting it into a target.

Referring now to FIGS. 2A, 2B, and 2C showing examples for possible usesof the method and apparatus. In both FIG. 2A and FIG. 2B, MC data 200represents the data collected in a monitoring canter, which can includemeta data related to communication items, the actual data of thecommunication such as the voice, and products of analysis of the data,such as transcript, spotted words, emotion level of the communication orthe like. In both figures, data retention reservoir 204 represent datacollected by one or more service providers, which is provided to a lawenforcement organization. Data retention reservoir 204 is optionallypartial and does not contain identifying details, but only technicaldetails such as call date, time, and duration, IP address, travelrecord, financial transaction, or the like. In FIG. 2A, the investigatoris interested in possible connection between person A and person B, bothbeing known targets, and their communications intercepted. However, Aand B, who are probably aware of being targets, refrain from directcommunication. In FIG. 2A, P, N and M are all non-target entities, whosecommunications are generally not intercepted, unless they arecommunicating with a target. Thus, in order for A to communicate with B,A communicates with N at step 208, which is intercepted since A is atarget, N communicates with P at step 210, a communication which is notintercepted since neither P nor N are known targets, and P communicateswith B at step 220, which is intercepted, but can not be used tocomplete the A-B communication since the N-P communication is notavailable through interception. Alternatively, it is is possible thateven N and p do not communicated directly but rather N communicates withM at step 212 and M communicates with P at step 216, which can alsosupport the connection A-B. All mentioned communications must be timedin a manner that enables the deduction of A-B communication, i.e. 208preceding 210 (or 212, which in turn precedes 216) which precedes 220.The N-P or N-M-P communication, with acceptable timing, can be revealedusing analysis tools, such as I2 (www.i2inc.com/) or Tom Sawyer(www.tomsawyer.com). Once the communications have been detected, aninvestigator can also ask for a warrant against N, M, or P, in responseto which the service provider will have to expose N, M, or P's identityand intercept their future communications. Other important outputs are,for example, detecting communication patterns, including times, timegaps, number of links, group structure and relation or persons betweengroups, or the like, which can provide important information for aninvestigator, for a current investigation as well as to future ones.

Referring now to FIG. 2B, showing another possible usage of the system.In FIG. 2A the situation was based solely on meta data, both from MCdata 200 and form CDR/IPDR data 204. However, in FIG. 2B, some of theconnections are deduced from products of MC data 200. In FIG. 2B, theinvestigator is interested in assessing a communication between D and E.By intercepting and analyzing D's communications, for example byspotting the name of K in D-J communication 222, the investigatordeduces that K might be involved although it is not apparent, and thuscommunication 232 between D and K is intercepted, Then, it is possiblethrough analysis to deduce K-H communication 228 and H-E communication224. If all communications are timed in a manner that enables the D-Eindirect communication, then the missing link is found.

Referring now to FIG. 2C, showing another possible usage of the system.In FIG. 2C area 236 represents one or more records in data retentionreservoir 204 which comply with a certain data researching criteria.Such criteria could be for example the location of a telephone, cell ID,an area code or a prefix of a telephone number, a country code, acommunication device or network such as a prepaid account or publicphone, an IP set of addresses, an IP port range, IP application type, atime frame etc. Alternatively, said criteria can be a combination of twoor more single parameters, such as those detailed above. Q in MC data200, retrieved at step 240 represents one or more results which areknown targets in the system, and S, retrieved at step 244 represents orone or more results which are new targets or new candidates to betargets in the system, as discovered by the analysis of data retentionreservoir 204.

It will be appreciated by a person skilled in the art that the threeexamples are provided to merely demonstrate possible uses of varioustools in the system, including content analysis tools on MC data 200,such as word spotting, and analysis tools such as such as I2(www.i2inc.com) or Tom Sawyer (www.tomsawyer.com) on both MC data 200and CDR/IPDR data 204. It will be apparent to a person skilled in theart that additional tools exist, and additional situations in whichdifferent tools and tool combinations are used to detect communications,entities and other data items relevant for the law enforcement agency.

Reference is now made to FIG. 3, which is an illustration of a possibleconnection map generated by an analysis tool, designed to work on dataretention sources 104 of FIG. 1, possibly in conjunction with data fromLI sources 100 of FIG. 1. The analysis tool detects connections betweenentities in the system, and provides textual or graphical representationof the detected connections and preferably their intensity. Theconnection map shown in FIG. 3 comprises vertices representing entities,the vertices being connected by edges representing connections betweenentities. For example, the entities can represent persons and the edgescan represent that communication took place between the two persons,wherein the width of the edge is indicative to the intensity of thecommunications between the two persons. Preferably, a thicker lineindicates more intensive communication between the persons.Alternatively, vertices can represent documents, such as e-mails,transcription of phone conversations, articles or other documents, andedges can represent the similarity between the documents, wherein awider edge represents a higher degree of similarity between the twodocuments it connects. Clicking or otherwise requesting to see thecontents of a vertex preferably shows the details of the vertex, underthe relevant security limitations. For example, if a vertex represents aperson, his or her details will be shown if he is a known target forwhich a warrant exists, and if the vertex is a document it will bepresented, if allowed, possibly together with its source. Clicking orotherwise pointing at an edge that represents communications can open alist of actual communications between the participants of thecommunication and show details and possibly the contents of one or morecommunications. Clicking on an edge that represents similarity betweendocuments can open up a list of similarity factors, such as commonwords, subjects, style, or the like. An edge may represent either anexplicit connection between two vertices, such as a direct communicationbetween two persons, or an implicit connection, such as a phone callbetween one of the persons to a third person, followed by a phone callbetween the third person and the second person. FIG. 3 shows aconnection map, concentrating on vertices 306 and 310. Suppose thatvertices in FIG. 3 represent persons, whilst edges represent theexistence of communications between persons. However, the same map canalso represent documents and similarities or other contents. Vertex 308is hollow, while vertex 312 is solid, vertex 306 has a hollow frame andvertex 310 has a solid frame. These characteristics can representdifferent concepts related to the entities represented by the vertices.For example, if a vertex represents a person, the different graphiccharacteristics can represent being a major target, a minor target,non-target, or an organization rather than a person. The edge connecting306 and 310 is thick, and therefore represents intensive communicationbetween 306 and to 310. It is an option to perform additional analysisand adjustments on the map, for example, adding an edge between 306 and316, since edges 306-310 and 310-316 indicate intensive communications.Alternatively, it is possible to filter information in order to enhanceclarity. Thus, a user can request to see only edges having apredetermined intensity level and higher, only edges between targets,only edges for which the communication occurred during a predeterminedperiod of time, only direct edges, only edges representing communicationwith at most a predetermined number of intermediate connections, orother content according to a predetermined criteria.

Referring now to FIG. 4, showing a preferred embodiment of an apparatusimplementing the methods of the disclosed invention. The apparatuscomprises a server 400, which is accesses by one or more users using oneor more work stations, such as the exemplary workstation 1 (408) andworkstation 2 (412). Server 400 is connected to storage device 404,which comprises, or is connected to a database unit 430, comprising dataretention database 432, which comprises communication traffic storedrecords and to monitoring center database (MC DB) 436. Each of server400, workstation 1 (408) and workstation 2 (412) is preferably acomputing platform, such as a personal computer, a mainframe computer,or any other type of computing platform that is preferably provisionedwith a memory device (not shown), a CPU or microprocessor device, andseveral I/O ports (not shown). Alternatively, each of server 400,workstation 1 (408) and workstation 2 (412) can be a DSP chip, an ASICdevice storing the commands and data necessary to execute the methods ofthe present invention, or the like. Workstation 1 (408) and workstation2 (412) are preferably provisioned with one or more input devices suchas a mouse, a keyboard, a joystick or others for receiving commands,queries or other inputs from a user, and with one or more outputdevices, such as a display 410 or 414 for outputting information to theuser. Each of storage device 404, CDR DB 423 and MC DB 436 preferablycomprises a physical storage such as a magnetic tape, a magnetic disc,an optical disc, a laser disc, a mass-storage device, or the like, andoptionally a management device or application, such as Microsoft SQLserver, manufactured by Microsoft of Redmond, Wash., USA. Server 400preferably further communicates through query server 420 with one ormore service provider databases such as service provider 1 database(440) or service provider 2 database (444)., Query server 420 isdesigned for generating and referring queries related to data items notappearing in data retention database 432 to service provider 1 database(440) or service provider 2. Additionally, query server 420 can addressqueries to storage 404, or any of databases 430. Results of queriesaddressed to service provider 1 database (440) or service provider 2database (444) are preferably intercepted by interception engine 422 andstored in databases 430, and in particular in data retention database432.

Server 400 is further responsible for processing the informationcomprised in storage device 404, using both content analysis tools forMC DB 436 information and traffic analysis tools for data retentiondatabase 432 information and MC DB 436 information. Server 400 comprisesengine components, preferably implemented as software applications or asadditional computing platforms connected to server 400. The engines aredesigned to process information stored on storage 404. The enginescomprise content analysis engines 416, which can comprise one or morecontent analysis tools for processing intercepted communications storedin MC DB 436, such as speech-to-text, word spotting, emotion detection,call flow analysis, and the like. Server 400 further comprises trafficanalysis engines 418 for processing or analyzing meta data stored indata retention database 432, optionally in conjunction with data from MCDB 436. Such analysis can be used to reveal direct or indirectcommunications between targets, documents or the like, identifycommunication patterns, group structure or the like. Data obtained formcontent analysis engines 416 of traffic analysis engines 418 can bestored in storage device 404, hence the bidirectional arrow connectingserver 400 and storage device 404. Another engine is display engine 422used for constructing a display of the obtained information, which willenable a user to receive clear and yet valuable information.Alternatively, display engine 422 or parts thereof can be a part ofworkstation1 408 or workstation2 412. Yet another engine is filteringengine 424 for filtering information, designed to limit the quantity ofdata received by a user to a manageable level. Sometime, a user may befaced with information overflow, in which case content based informationfiltering can help him or her concentrate on the important parts. Forexample the user may ask to see only connections between targets or dataitems that were labeled as relevant, only items having a high certaintydegree, or the like. Filtering can sometimes be viewed as limiting thenumber of vertices or edges in a graph as shown in association with FIG.3 above. Security engine 428 is designed to hide information from auser, based on security and privacy policies. For example, the identityof non-targets communicating with targets may be hidden from one or moreusers, although the mere fact that such communication took place may beexposed. The information is hidden or revealed according to the user,the context, privacy policy, the relevant parties and possiblyadditional factors. Engines 416, 420, 424 and 428 are preferablyimplemented as one or more sets of logically inter-related computerinstructions or programs and associated data structures that interact toperform the relevant activities. It will be appreciated by a personskilled in the art that the division of the collection of the computerinstructions, programs and data structures into the described engines isschematic, and other divisions or no division at all can be implemented.Alternatively, some engines may be omitted, replaced by others, or anyother variation which still maintains the spirit of the currentinvention.

The disclosed invention describes methods and apparatus for combiningconventional monitoring center techniques and methodologies related tolawful interception and analysis of the intercepted communications, withanalysis of data collected by service providers, in order to revealconnections and communications between targets or other entities, whichcould not be identified otherwise. Combining traffic analysis techniqueswith monitoring center interception can thus assist in identifyingsuspects based on communication patterns, identifying additionalcommunication devices of known targets, identifying target groups andrelations within a group, and finding direct or to indirect linksbetween targets. The disclosed methods provide a user with a high degreeof flexibility, in order to let him or her concentrate on persons,communication or other entities that seem important, without losing thegreater picture.

It will be appreciated by persons skilled in the art that manyalternatives and variations exist to the described methods andapparatus. The distribution of the different analysis functions betweenthe components shown in FIG. 4 can be different, for example moreanalysis tasks can be performed by the workstations themselves.Alternatively, some of the queries performed by query engine 420 can beperformed by storage device 404, or other variations. As for thepresentation, variation schemes other than the connection map shown onFIG. 4 can be designed, and additional features can be added to enablean investigator easy access to information. In addition, other sourcesof information can be incorporated and used within the system, andadditional analysis types can be integrated.

It will be appreciated by persons skilled in the art that the presentinvention is not limited to what has been particularly shown anddescribed hereinabove. Rather the scope of the present invention isdefined only by the claims which follow.

1. A method for integrating data or content of intercepted communication with an at least one stored record, the method comprising the steps of: receiving from an interception source data or content of the intercepted communication in which a target participates, the communication intercepted in accordance with a warrant; receiving an at least one stored record from a data retention source; and analyzing and integrating the at least one stored record in association with the intercepted communication data or content.
 2. The method of claim 1 wherein the at least one stored record is a communication traffic stored record.
 3. The method of claim 1 wherein the at least one stored record is a non-communication traffic stored record.
 4. The method of claim 3 wherein the at least one stored record is selected from the group consisting of: a customer record, a financial record, and a travel record.
 5. The method of claim 1 further comprising a querying step for querying the data retention source.
 6. The method of claim 1 further comprising a data retrieval step according to one or more criteria.
 7. The method of claim 1 wherein the stored record comprises information which is a response to a query addressed to the data retention source.
 8. The method of claim 1 further comprising a display step for displaying information to a user.
 9. The method of claim 8 wherein the display step displays any one of the following: an at least one result associated with the analyzing step, raw data, or information related to an operation performed by the user.
 10. The method of claim 8 wherein the display step provides graphic presentation of information.
 11. The method of claim 10 wherein the graphic representation comprises an at least one connection map.
 12. The method of claim 8 wherein the display step provides textual presentation of information.
 13. The method of claim 1 further comprising an abstraction step for eliminating information from the at least one stored record.
 14. The method of claim 13 wherein the information being eliminated is identifying information.
 15. The method of claim 1 further comprising a formatting step for formatting the intercepted communication data or content, or the at least one stored record.
 16. The method of claim 1 further comprising a storing step for storing the intercepted communication data or content, or the at least one stored record.
 17. The method of claim 16 wherein the storing step stores the intercepted communication data or content, or the at least one stored record in a database.
 18. The method of claim 1 wherein the data retention source is external to an operator of the interception source.
 19. An apparatus for integrating data or content of intercepted communication associated with a target and captured in accordance with a warrant, with at least one stored record, the apparatus comprising: an at least one storage device for storing the data or content of the intercepted communication, or the at least one stored record; an at least one server comprising an at least one engine for processing information stored in the storage device and integrating the at least one stored record in association with the data or content of the intercepted communication; an at least one computing platform comprising an at least one display device for displaying to a user an at least one result obtained by the at least one engine; and an at least one connection to an at least one service provider database.
 20. The apparatus of claim 19 wherein the at least one engine is any of the group of: an analysis engine; a query engine; a filtering engine; or a security engine.
 21. The apparatus of claim 19 further comprising an at least one interception engine for capturing an at least one record from the at least one service provider database.
 22. The apparatus of claim 19 wherein the storage device is associated with a monitoring center database or with a call detail record database or with an interne protocol detail record.
 23. The apparatus of claim 19 wherein the at least one data record is received from a source external to an operator of the interception source.
 24. A tangible computer readable storage medium containing a set of instructions for a general purpose computer, the set of instructions comprising: receiving from an interception source data or content of intercepted communication in which a target participates, the communication intercepted in accordance with a warrant; receiving an at least one stored record from a data retention source; and analyzing and integrating the at least one stored record in association with the data or content of the intercepted communication. 